How to stop disabled user accounts from syncing with Azure AD Connect


Hello again,

I was experimenting these days using Azure AD Connect, the tool that lets you synchronize your on-premises AD accounts to Azure AD. So I thought: what happens when you have some disabled user accounts in your on-premises AD environment? Do you really need them to synchronize?

Probably not.

So we'll see what you have to do in case you don't want to bring up to Azure AD your disabled user accounts.

Please read the rest of the article here.

4 Replies

That one is easy though, I'd love to see more tricky examples published on docs.com or your blog. For example locked out accounts, or expired ones, or similar :)

Regarding the expired or locked out accounts, it's already there, if you go through the article:

"Select useraccountcontrol for the Attribute and then select the ISBITSET operator with a value of 2 (If you want to know what is really this value, take a look here: https://support.microsoft.com/en-us/kb/305144)".

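An added example, not part of the thread or the linked article: a PowerShell check of which userAccountControl values a bitwise test against 2 matches, run over constructed sample accounts. The flag values are the ones listed in KB 305144; the function name `Test-IsBitSet`, the enum name and the account names are hypothetical.

```powershell
# Added example. Flag values are from KB 305144 (subset only).
[Flags()] enum UacFlag {
    ACCOUNTDISABLE       = 0x0002
    LOCKOUT              = 0x0010
    PASSWD_NOTREQD       = 0x0020
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
    PASSWORD_EXPIRED     = 0x800000
}

# Bitwise AND: true only when every bit of $Mask is set in $Value.
# With a mask of 2 this is the ACCOUNTDISABLE test the quoted rule expresses.
function Test-IsBitSet {
    param(
        [Parameter(Mandatory)] [int] $Value,
        [Parameter(Mandatory)] [int] $Mask
    )
    return (($Value -band $Mask) -eq $Mask)
}

# Constructed sample data, not taken from a real directory.
$samples = @(
    [pscustomobject]@{ Name = 'alice'; UserAccountControl = 512 }      # normal, enabled
    [pscustomobject]@{ Name = 'bob';   UserAccountControl = 514 }      # normal + disabled
    [pscustomobject]@{ Name = 'carol'; UserAccountControl = 66050 }    # disabled + password never expires
    [pscustomobject]@{ Name = 'dave';  UserAccountControl = 528 }      # normal + LOCKOUT bit
    [pscustomobject]@{ Name = 'erin';  UserAccountControl = 8389120 }  # normal + PASSWORD_EXPIRED bit
)

# Decode each value and show whether a rule keyed on bit 2 would match it.
$report = foreach ($s in $samples) {
    [pscustomobject]@{
        Name               = $s.Name
        UserAccountControl = $s.UserAccountControl
        Flags              = [UacFlag]$s.UserAccountControl
        MatchesBit2        = Test-IsBitSet -Value $s.UserAccountControl -Mask 2
    }
}
$report | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory RSAT module), the same
# bit test as an LDAP filter lists the on-premises accounts with bit 2 set,
# which can then be compared with what still appears in Azure AD:
#   Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=2)'
```
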
Thanks for posting this. I just installed the latest version of Azure AD Connect on Windows Server 2016 and it worked instantly. We have automated automatically disabling our accounts after a certain period of time so now only active accounts appear in Azure AD making things easier to manage.

@Chris Spanougakis I have done as per your write up but I still see the disabled account online.